Remove UCCU Ransomware and Restore The .uccu Encrypted Files

A ransomware virus reported to set the .uccu file extension on the files it has encrypted has been detected in different places around the globe. It is a mystery what “uccu” stands for, but one detail is confirmed – this specific ransomware uses a strong AES encryption algorithm. In addition, the virus encrypts a very wide range of file types, and its origins are so far a mystery. All users who have been affected by UCCU Ransomware should NOT pay any ransom money requested in its note and should remove the virus using an advanced anti-malware tool. A decryptor for .uccu files has not been developed so far, but you can check this article for alternative solutions regarding partial file restoration.

Threat Summary

Type: Ransomware
Short Description: The ransomware encrypts files with the strong AES cipher and asks for a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A ransom note with instructions for paying the ransom may appear on the user’s computer.
Distribution Method: Spam emails, email attachments, file-sharing networks.
Detection Tool: See If Your System Has Been Affected by UCCU (Malware Removal Tool)
User Experience: Join our forum to Discuss Locky Ransomware.

UCCU Ransomware – Methods of Infection

To infect users with a high success rate, UCCU Ransomware may use several tools that help mask its files and slip past undetected:

  • Program obfuscators.
  • Exploit Kits.
  • Redirecting URLs.
  • Malicious JavaScript codes.
  • File archives.

Such tools not only allow the malicious executable to run unnoticed and with escalated privileges, but also give the cyber-criminals many possibilities, like spreading it via spam e-mails with web links like the example below:

UCCU Ransomware – In Depth Analysis

As soon as its payload is dropped on the infected computer, it may be located in one of the following Windows folders:

  • %AppData%
  • %Documents%
  • %User’s Profile%
  • %Roaming%
  • %Local%

The executable of the malware may have the following rather vulgar name:


In addition to that, UCCU Ransomware may create a registry entry in the RUN and RUNONCE keys for the “f*ckgod_jesu_crypt” executable file to start along with Windows and begin encrypting files. The Run and RunOnce keys in which this value string may be located are the following:


In addition to that, UCCU may delete the Shadow Copies of the infected computer, by executing the vssadmin command with one of its many parameters, for example:

vssadmin delete shadows /for={Volume of the drive, for example C:} /all

The encryption process targets a wide range of files. The most commonly used file extensions are encrypted, but the ransomware skips the file extensions of important files whose encryption could break Windows. The targeted file types are the following:

.png .3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi .bay .bmp .cdr .cer .class .cpp .CR2 .crt .CRW .cs .csv .db .dbf .dcr .der .dng .doc .docx .docb .docm .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .idml .iff .indb .indd .indl .indt .inx .jar .java .jpeg .jpg .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov .mp4 .mpa .mp3 .mpeg .mpg .mrw .msg .NEF .nrw .odb ODC-.odm .odp .ods .odt .orf .p12 .P7B .p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .rar .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .x3f .xla WPS-.xlam .xlk .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx .zip

Source: Malwr.com

In addition to that, the ransomware may perform other activities, like:

  • Hide the encrypted files from the user.
  • Leave a .txt file, picture or an HTML file which contains instructions on how to pay the ransom in Bitcoin.
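The behaviours described in this analysis (a Run/RunOnce autostart value pointing into a user folder, a vssadmin delete shadows command, and files written with the .uccu extension) can be checked together in endpoint telemetry. The following Python triage is an added example, not code from the original article; the event tuple format, host names and sample paths are constructed for illustration, and the Run key location is the standard Windows CurrentVersion path rather than a value taken from this page.

```python
import re
from collections import defaultdict

# One rule per event type: (behaviour tag, pattern applied to the event detail).
RULES = {
    # "vssadmin delete shadows", with or without a full path, quotes or .exe
    "process": ("shadow_copy_delete",
                re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)),
    # A Run/RunOnce value whose data points into a user profile folder
    "registry": ("run_key_user_path", re.compile(
        r'\\CurrentVersion\\Run(?:Once)?\\[^\\]+ = "?[a-z]:\\Users\\[^\\]+\\', re.I)),
    # A file written with the .uccu extension (appended or substituted)
    "file": ("uccu_extension", re.compile(r'\.uccu$', re.I)),
}

# Constructed sample events (host, type, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("PC-01", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                          r"\Run\svc = C:\Users\ann\AppData\Roaming\sample.exe"),
    ("PC-01", "process",
     r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /for=C: /all'),
    ("PC-01", "file", r"C:\Users\ann\Documents\notes.uccu"),
    # Benign look-alikes: a per-user autostart and a read-only vssadmin query
    ("PC-02", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                          r'\Run\OneDrive = "C:\Users\bob\AppData\Local'
                          r'\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("PC-02", "process", r"vssadmin list shadows"),
]

def triage(events):
    """Map each host to the set of behaviours matched in its events."""
    seen = defaultdict(set)
    for host, kind, detail in events:
        rule = RULES.get(kind)
        if rule and rule[1].search(detail.strip()):
            seen[host].add(rule[0])
    return dict(seen)

def hosts_to_isolate(events, min_behaviours=2):
    """Hosts showing several behaviours together; one alone is often benign."""
    found = triage(events)
    return sorted(h for h in found if len(found[h]) >= min_behaviours)

if __name__ == "__main__":
    for host, tags in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, sorted(tags))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

A per-user autostart on its own also matches legitimate software, such as the OneDrive entry in the sample, which is why only hosts showing at least two behaviours are escalated.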

Remove UCCU Ransomware and Restore Your Encoded Files

To fully delete this ransomware virus from your computer, keep in mind when removing it manually that it may also have created other files on your computer. For maximum effectiveness, experts recommend using a more automatic approach – an advanced anti-malware scanner which will automatically, safely and effectively eradicate UCCU Ransomware from your PC.

If you wish to decrypt your files, follow this article – we will update it at its start (above) as soon as there is a working decryptor released for free. In the meantime, you may want to try using the methods in step “3. Restore files encrypted by UCCU” below. There is no guarantee that you will get any files back, but some users have reported recovering at least a minimal portion of the files using them.

Manually delete UCCU from your computer

Note! Important notice about the UCCU threat: Manual removal of UCCU requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove UCCU files and objects
2. Find malicious files created by UCCU on your PC
3. Fix registry entries created by UCCU on your PC

Automatically remove UCCU by downloading an advanced anti-malware program

1. Remove UCCU with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by UCCU in the future
3. Restore files encrypted by UCCU
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
